Published On: February 27th 2026
Authored By: Mahi Rathod
Renaissance Law College Indore DAVV University
ABSTRACT
This article provides a multi-dimensional and critical examination of the Digital Personal Data Protection (DPDP) Act, 2023, along with the transformative data protection rules introduced in 2025. While the primary focus of the DPDP Act remains the safeguarding of personal digital data and establishing a framework for lawful processing, this study goes further to analyze the practical implementation challenges observed in the 2025-2026 period.
The research delves into the core pillars of the Act, such as informed consent, data fiduciary obligations, and the unique rights of ‘Data Principals’, while simultaneously evaluating the operational efficacy of the newly established Data Protection Board of India. By exploring the procedural developments in data breach reporting and the role of the ‘Consent Manager’, this paper highlights how India is transitioning from a theoretical privacy framework to a robust, enforcement-oriented regime. Furthermore, it assesses the socio-legal impact of multilingual notices and children’s privacy protections, ensuring a comprehensive understanding of India’s evolving digital jurisprudence.
KEYWORDS: DPDP Act, 2023; Right to Privacy; Justice K.S. Puttaswamy v. Union of India; DPDP Rules, 2025; Data Principal; Data Fiduciary; Data Protection Board (DPB)
INTRODUCTION
As India hurtles forward in its journey toward becoming a global digital powerhouse, we find ourselves surrounded by an environment where massive amounts of digital information are generated by citizens every single second. In such a high-stakes landscape, the protection of one’s personal data has evolved from a simple policy matter into an absolute fundamental necessity for every person living online. The increasing dependency we have on online services has, unfortunately, opened the doors to severe risks, such as the unauthorized misuse of sensitive information and a glaring lack of accountability from major corporations.
To counter these modern-day threats, the Digital Personal Data Protection (DPDP) Act, 2023 was established, serving as a much-needed protective shield for the rights of the ‘Digital Nagarik’. If we look at the legal roots of this legislation, it clearly stems from the monumental judgment in Justice K.S. Puttaswamy v. Union of India (2017). [1] In this historic case, the Supreme Court of India took a bold stand by declaring that the Right to Privacy is not just a luxury, but a Fundamental Right protected under Article 21 of our Constitution.
From my personal vantage point as a legal researcher, I believe the DPDP Act represents more than just a routine update to the outdated Information Technology Act of 2000. It actually signals a massive shift in how India legally perceives and handles technology and individual identity. By handing back the ‘ownership’ of data to the ‘Data Fiduciaries’ (entities) to be strictly answerable for their actions, this law creates a new era of digital trust. Now that the 2025 implementation rules have brought this theoretical law into practical reality, we can finally witness a functional enforcement regime in action.
India’s journey toward a data-secure nation is not just a legal necessity but a socio-economic requirement. In an era where digital connectivity has reached every corner of the country, the volume of data generated across various platforms is massive. I believe that the DPDP Act acts as the foundation of our ‘Digital India’ mission. It shifts the power from data-hungry corporations back to the ‘Digital Nagarik’. The 2017 Puttaswamy judgment was the spark, but the 2025 Rules are the fuel that finally makes this protection functional for the common man.
DISSECTING THE CORE ARCHITECTURE OF THE ACT
The DPDP Act, 2023 is essentially a framework designed to balance the power between individual citizens and large data-handling entities. Based on my analysis of the sections you provided, the legislation stands on several pivotal pillars that redefine digital trust in India:
- The Paradigm of Informed Consent (Sections 5 and 6): In the earlier digital era, privacy policies were nothing more than a formalistic ritual exercise that no one actually read. However, Section 5 now demands that every ‘Data Fiduciary’ must provide a notice that is not only clear but also accessible in local languages. From a legal standpoint, Section 6 is a game changer because it insists that consent must be specific, informed, and unconditional. It essentially prevents companies from using bundled consents, where they used to force users to agree to unnecessary data collection just to use one simple app feature. Section 5 is actually all about making transparency real, not just on paper. The 2025 guidelines have made it clear that notices must be given in various local languages. To me, this is huge because it means your digital rights no longer depend on how well you know English. It makes the law reach every citizen. Then there is Section 6, which I think is the most important part. It finally kills the old habit of assumed agreement, where companies used pre-ticked boxes to grab your data without you even noticing. Now, the rule is simple: if you don’t explicitly say ‘Yes’, they can’t touch your data. This shift to ‘Privacy by Default’ is the biggest upgrade we’ve seen over the old IT Act.[2]
- Empowering the Data Principal (Sections 11, 12 and 13):[3] I believe the true heart of this Act lies in the empowerment of the ‘Data Principal’. Section 11 grants us the right to access our own information and know how it’s being used. Section 12 is even more powerful; it allows us to demand corrections if the data is inaccurate, and also introduces the ‘Right to Erasure’. This ‘Digital Eraser’ lets users wipe their data from a company’s server once the work is done. Finally, Section 13 completes this circle by giving us the ‘Right to Grievance Redressal’, so we have a formal way to complain if a company doesn’t listen to our requests. I find Section 12 particularly powerful because it introduces what we often call the ‘Right to be Forgotten’. By 2026, this has become a necessity: if you are done with a service, the company simply cannot hold onto your personal info anymore. It gives you a clean slate. Also, the 2025 Rules have added some real pressure to Section 13. Now, the grievance process is strictly time-bound. Companies can no longer keep users in the dark; they have to acknowledge and act on complaints almost immediately. To me, this is a big win because it finally forces big corporations to take the average user’s voice seriously.
- Section 14: The Concept of Digital Succession: A very unique and human-centric feature of this law is the ‘Right to Nominate’. As I have observed in recent legal trends, this allows a person to decide who will manage their digital assets and personal data after their death or in case of incapacity. This ensures that our digital legacy is handled with the same privacy and care as our physical property.
- A Balanced Approach: Duties of Data Principals (Section 15): What makes India’s law stand out globally is that it does not only grant rights; it also assigns duties. Section 15 prohibits users from providing false information or filing frivolous complaints. In my view, this creates a responsible digital ecosystem where both the company and the user are required to act honestly.
THE DEBATE OVER STATE EXEMPTIONS (SECTION 17)
While the DPDP Act is a massive leap toward protecting citizens, there is a significant debate surrounding Section 17 of the Act. This particular section provides the central government with the authority to exempt its own agencies from most of the rules of this Act, especially in the interest of the sovereignty and integrity of India and public order.
In my critical assessment, this provision is a double-edged sword. I personally feel that while it is essential for the state to have access to certain data to maintain national safety and stop criminal activities, it is equally risky. Giving such enormous powers to government bodies without a solid system of checks and balances could, unfortunately, lead to a future of mass surveillance. Unlike the private sector, where the ‘Data Principal’ has a strong right to give or withdraw consent, the government can process personal data without consent under these specific exemptions. As a researcher, I believe that for the ‘Right to Privacy’ (as per the Puttaswamy judgment) to be truly protected, there must be a clear balance between national interest and individual freedom.
The penalty of ₹250 crore is not just a number; it is a deterrent designed to make data protection a ‘top-level’ priority. Earlier, companies saw data leaks as a minor business risk. Now, with such massive fines, data security has moved from the IT department to the Board of Directors. The Data Protection Board (DPB) of India, established recently, has been given the powers of a Civil Court, which means they can summon executives and demand documents. This legal ‘teeth’ is what was missing for the last two decades.
THE COST OF NON-COMPLIANCE: PENALTY REGIME (SECTION 33)
I personally believe that a law is only as strong as its power to punish, and the DPDP Act does not hold back when it comes to financial consequences. Under Section 33, the Act introduces a penalty structure that can go up to a staggering ₹250 crore for failing to implement reasonable security safeguards. What strikes me as most significant is that these fines are not just flat rates; the Data Protection Board considers the nature, gravity and duration of the breach before deciding the amount. For instance, if a company fails to notify the Board about a data leak, it could face a penalty of up to ₹200 crore, which is a massive jump from the minor fines under the old IT Act. Interestingly, the law even holds us, the ‘Data Principals’, accountable by imposing a fine of up to ₹10,000 for filing false or frivolous complaints. In my view, this high-stakes penalty regime is exactly what was needed to shift data privacy from a mere legal formality to a top boardroom priority in India.
RECENT DEVELOPMENTS AND THE 2025-26 IMPLEMENTATION
While the DPDP Act of 2023 laid the foundation for data privacy in India, the real transformation has begun with the notification of the DPDP Rules on November 13, 2025. As I analyze the current digital landscape, it is clear that we are moving away from the old IT Act’s limited scope towards a more robust and ‘Nagarik-centric’ ecosystem as discussed in my earlier sections.
The most significant development in 2026 is the Phased Implementation strategy. According to the latest notifications, the government has given a clear timeline: while core rules regarding data processing are active now, complex requirements like the appointment of ‘Consent Managers’ have been given a one-year window to ensure businesses do not collapse under sudden compliance pressure. I personally feel that the introduction of Rule 3 is a game-changer for transparency; it mandates that every ‘Data Fiduciary’ must provide a clear, itemized notice of what data is being collected and for what specific purpose.
Furthermore, I have observed that the 2025 rules have added a much-needed layer of protection for ‘Data Principals’ by requiring a direct communication link for consent withdrawal and grievance redressal in every privacy notice.[4] This aligns perfectly with the rights of ‘Correction and Erasure’ that I highlighted from the original Act. In my view, these recent updates prove that India is not just passing a law but is actively building a ‘Techno-Legal’ shield that prioritizes individual privacy over corporate convenience.
CHALLENGES IN IMPLEMENTATION
While the legislative framework of the DPDP Act is undoubtedly a milestone, its actual execution on the ground is where the real complexity begins. Based on my research and observation of the current landscape, there are several friction points that need to be addressed:
- The Burden of Legacy Data: The most significant technical hurdle is for organizations that have accumulated vast amounts of unorganized data over the last decade. Most of their back-end systems were never designed for ‘Privacy by Design.’ Consequently, when a user exercises their ‘Right to Erasure’, locating and permanently deleting every specific data thread from these tangled digital archives becomes a technical nightmare. It is a massive technical debt that companies are now being forced to pay.
- Economic Strain on Small Enterprises: There is a growing concern that while ‘Big Tech’ firms have the capital to adapt, the financial weight of compliance might crush smaller startups. The cost of appointing ‘Consent Managers’, setting up 24/7 grievance channels, and translating every notice into 22 regional languages is eating into their limited innovation budgets. We must ensure that the cost of privacy doesn’t become a barrier to entry for new players.
- The Parental Consent Paradox: Section 9 mandates ‘Verifiable Parental Consent’ for processing children’s data, but the technology to verify this accurately is still in its infancy. In an anonymous digital world, distinguishing between a genuine parent and a tech-savvy minor is incredibly difficult. Without a centralized ‘Gold Standard’ for digital age verification, this remains a grey area where the law is currently ahead of the technology.
- Shifting Corporate Instincts: The hardest part of this transition isn’t just the software; it’s the mindset. For years, the Indian market has thrived on a ‘Data Hoarding’ model, collecting as much as possible. Moving to a ‘Data Minimization’ culture, where you only collect what is strictly necessary, is meeting silent resistance in many boardrooms. Treating data as a liability rather than a free asset is a massive cultural shift.
- Administrative Pressure on the Board: Lastly, the sheer scale of India’s population suggests that once the Data Protection Board (DPB) is fully operational, it could be facing an avalanche of complaints. Ensuring that justice is delivered in a time-bound manner across millions of users will be a monumental administrative task that requires unprecedented infrastructure and specialized manpower.[5]
CONCLUSION
To sum up, the DPDP Act, 2023, along with the recent 2025-26 implementation roadmap, marks a historic shift for India. We have finally moved from the outdated IT Act to a modern framework that puts the ‘Digital Nagarik’ in control of their own data.
While the heavy penalties of up to ₹250 crore serve as a necessary warning to big corporations, the true success of this law lies in the transparency it brings to our daily digital interactions. In my view, this Act is India’s ‘Digital Constitution’. It perfectly balances our growth as a tech superpower with every citizen’s fundamental right to privacy. It ensures that in 2026 and beyond, our digital progress is safe, ethical, and respected.
References
[1] The Digital Personal Data Protection Act, 2023, No. 22, Acts of Parliament, 2023 (India); Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1.
[2] Digital Personal Data Protection Act, 2023, §§ 5-6 (India).
[3] Digital Personal Data Protection Act, 2023, §§ 11-13 (India); Digital Personal Data Protection Act, 2023, § 14 (India); Digital Personal Data Protection Act, 2023, § 17 (India).
[4] Digital Personal Data Protection Act, 2023, § 33 (India); The Digital Personal Data Protection Rules, 2025, Ministry of Electronics and Information Technology (Notified Nov. 13, 2025).
[5] Ministry of Electronics and Information Technology, Report on Implementation Roadmap for DPDP Enforcement, Government of India (Dec. 2025).




